Every piece of data that matters to your business will one day try to walk out the door. It might be an attachment sent to the wrong recipient, a USB drive taken home, a cloud repository opened by mistake or a contract pasted into an artificial intelligence assistant. Data leak prevention — DLP — is the security discipline that exists precisely to see these movements and stop sensitive information from escaping the organization's control.

What DLP is and why it matters

DLP is the set of technologies, policies and processes that identify, monitor and protect sensitive data throughout its entire lifecycle. The goal is simple to state and hard to execute: ensure that critical information — personal data, trade secrets, intellectual property, credentials — does not leave the company in an unauthorized way, whether through carelessness or deliberate action.

Its relevance has grown for three converging reasons. First, data has become the most valuable and most targeted asset organizations hold. Second, work has decentralized: people operate from home, on personal devices and across dozens of cloud applications that IT does not always control. Third, the regulatory environment has hardened — in Brazil, the LGPD imposes concrete protection and notification duties that turn a leak into a legal and reputational problem, not just a technical one.

It is worth distinguishing the two meanings of the acronym. Data Loss deals with the loss of data availability or integrity; Data Leak deals with improper exposure to those who should not have access. In practice, market solutions cover both, and the umbrella term consolidated by Gartner is simply DLP.

The three states of data

A DLP program only works when it understands that data exists in three states, and that each one demands a different kind of control.

  • Data at rest: information stored on file servers, databases, workstations, code repositories and cloud buckets. Here DLP performs discovery and classification, finding sensitive data forgotten in the wrong places.
  • Data in motion: information traveling across the network — emails, web uploads, messages, file transfers. DLP inspects this traffic and decides whether it may proceed.
  • Data in use: information being handled at the endpoint — copied to a USB drive, printed, pasted between applications, captured on screen. It is the hardest state to control, because it happens on the user's device.

Covering only one state leaves obvious gaps. Blocking external email without controlling USB just pushes the leak to another channel. That is why DLP maturity means orchestrating controls across all three states in a coherent way.

Types of DLP and where each one operates

Solutions are usually organized by the point in the infrastructure where they operate. They are not competitors: they are complementary layers.

DLP typeWhere it operatesState coveredExample use
EndpointAgent on the user's deviceIn usePrevent copying a customer spreadsheet to a USB drive
NetworkGateway or proxy at the perimeterIn motionBlock upload of a confidential document to an external site
Cloud / CASBBetween users and SaaS servicesAt rest and in motionDetect personal data in a public share on Google Drive
EmailCorporate mail flowIn motionHold a message with a national ID number sent to an external recipient

Endpoint DLP is the one closest to the user and controls local actions, even when the device is offline. Network DLP watches everything that crosses the traditional perimeter. Cloud DLP, usually delivered through a CASB (Cloud Access Security Broker), has become indispensable because most corporate data now lives in SaaS. Email DLP deserves its own spotlight for being, historically, the number-one channel for accidental leaks.

In practice, the choice is not between one type or another, but about the order of adoption. Organizations that process personal data in volume tend to prioritize email and cloud, where regulatory risk concentrates; engineering and research environments, with strong intellectual property, tend to start at the endpoint to protect code and projects. What matters is that the architecture allows a single policy, applied consistently across all points, rather than isolated rules that contradict one another between layers.

Detection techniques

The heart of DLP is its ability to recognize what is sensitive without burying operations in false alarms. Techniques stack in layers:

  • Regular expressions and patterns: recognize structured formats such as national ID numbers, tax IDs, card numbers (validated by the Luhn check digit) and PIX keys. They are fast, but generate noise when used in isolation.
  • Document fingerprinting: computes a signature of specific files to detect copies and partial versions of known confidential documents.
  • Label-based classification: leverages sensitivity markings applied to the data (for example, "Confidential" or "Restricted") to trigger policies without re-analyzing content every time.
  • EDM and IDM: exact data matching (Exact Data Matching) compares content against real records from a database — a customer list, for example — while indexed document matching (Indexed Document Matching) does the same for documents. These are the most precise techniques for structured data.
  • Machine learning: classifies unstructured content — free text, source code — by similarity to training examples, catching what fixed patterns miss.

The golden rule is combination. An 11-digit number could be a national ID or a product code; when the regex is combined with context, label and real database, the confidence of the alert rises and false positives fall.

Policies and protection actions

Detecting is half the job; the other half is deciding what to do. A DLP policy ties three elements together: which data, in which channel or context and which action. The typical actions form a spectrum of severity:

  • Alert/log: allows the action but generates an event for analysis. It is the starting mode of any deployment.
  • Block: prevents the operation — the email does not go out, the file does not copy.
  • Quarantine: holds the content for review before releasing or discarding it.
  • Encrypt: allows the transfer but protects the data, ensuring only the legitimate recipient can read it.
  • Justify: requires the user to state the reason, educating and holding them accountable without blocking the legitimate flow.

The most common mistake is to start by blocking everything. The mature approach begins in monitoring mode, learns the organization's real behavior, calibrates the policies and only then enables blocking on the highest-risk channels. This preserves productivity and builds the teams' trust in the control.

Integration with data classification and CASB

DLP does not live alone. Its effectiveness depends, first, on good data classification: if the organization knows what is "Public," "Internal," "Confidential" and "Restricted," policies become precise and false positives plummet. Classification is the map; DLP is the guard that consults it.

Second, modern DLP relies on CASB to see the cloud. The CASB brokers access to SaaS services, discovers shadow IT — the applications people adopt without IT approval — and enforces DLP policies over data that never touches the corporate perimeter. Without this integration, a DLP program only sees the on-premise past and stays blind precisely where data circulates most today.

This convergence is the dominant market trend. Modern platforms unify endpoint, network and cloud DLP under a single console, with a single policy library and a consolidated incident queue. For those who run the program, this means writing the rule "customer data does not leave without encryption" once and seeing it applied to email, web upload, SaaS sharing and USB copy, without maintaining four parallel configurations that inevitably diverge.

The leak channels that matter

Knowing where data escapes guides where to invest. The recurring vectors are:

  • Email: still the champion of accidental leaks, especially through recipient autocomplete and wrong attachments.
  • Removable devices (USB): local copying of large volumes, hard to trace without endpoint DLP.
  • Web upload and personal storage: sending files to sites and personal clouds outside the company's governance.
  • Shadow IT: unapproved SaaS applications where corporate data accumulates without control.
  • Generative AI: the fastest-growing channel. Code, contracts and customer data pasted into public assistants can be absorbed into third-party models. Treating AI as an exfiltration channel to be inspected has become mandatory.

DLP and the LGPD

In Brazil, leak prevention has stopped being optional and become part of a legal duty. The General Data Protection Law (Law 13.709/2018) does not mention DLP by name, but it establishes obligations that DLP helps fulfill directly:

  • Article 46: requires processing agents to adopt technical and administrative security measures capable of protecting personal data from unauthorized access and from accidental or unlawful destruction, loss, alteration, communication or dissemination. DLP is one of the most demonstrable technical measures in this regard.
  • Article 47: establishes that the obligation to ensure security extends to everyone who processes the data, even after processing ends.
  • Article 48: requires the controller to notify the National Data Protection Authority (ANPD) and the data subject of any security incident that may cause relevant risk or harm. DLP provides the early detection and the evidence needed for that notification to be timely and well founded.

In other words, DLP does not just prevent the leak: when something escapes, it delivers the record of what happened, enabling incident response and notification to the ANPD within the deadline. In the face of an inspection, demonstrating active DLP controls is concrete evidence of diligence.

References and best practices

A robust DLP program is anchored in recognized references. NIST SP 800-53 provides applicable data protection controls (notably in the system and communications protection families), useful for structuring policies in an auditable way. Gartner consolidated the DLP category and describes the convergence between DLP, CASB and edge security platforms. The Cloud Security Alliance (CSA) offers guides for data protection in cloud environments, complementing what the CASB executes in practice. And on the Brazilian legal side, the LGPD and the guidance from the ANPD define what needs to be protected and what to do when protection fails.

How Decripte helps

Data leak prevention is not the purchase of a tool — it is a program that combines discovery, classification, policy, technology and response, calibrated to the size and risk of each organization. Decripte is a B2B cybersecurity company that structures this journey end to end, from the micro-business with a handful of employees to the corporation with more than one hundred thousand, always connecting DLP controls to the concrete requirements of the LGPD and to the operational reality of each client.

If you want to map where your data might be escaping before you invest, start for free through our intelligence center. And when you are ready to deploy a complete protection program, explore our plans and choose the level of defense right for your business.